On Sat, 2014-01-25 at 10:00 -0800, John R Pierce wrote:
re: your intrusion detection system, mod_evasive is a useful tool for creating such.
Mine works like this:
1. All errors 301, 302, 400, 401, 403, 500 etc. are sent to a standard PHP file
ErrorDocument 401 /error.php?code=401
2. In that php file, the original HTTP method etc. are extracted
$code    = $_GET['code'];                  // status code passed in by the ErrorDocument directive
// Apache sets REDIRECT_REQUEST_METHOD on the internal redirect to error.php;
// it holds the method of the client's original request
$method0 = isset($_SERVER['REDIRECT_REQUEST_METHOD']) ? $_SERVER['REDIRECT_REQUEST_METHOD'] : '';
$method  = $_SERVER['REQUEST_METHOD'];     // method as seen by error.php itself
$mm      = date('m');                      // two-digit month, selects this month's banned chain
$webpage = $_SERVER["REQUEST_URI"];        // URI the client actually asked for
if (!$webpage) $webpage = "(none)";
3. If the web page requested is one of the usual 'php.....' or other frequent ones, the banned variable is set.
4. If it is HTML activity on an IP address and not on a valid domain name, the banned variable is set.
5. Ditto if the method is not allowed, for example POST, CONNECT, etc.
6. if ($ban) {
       $ipx = $ip1;   // $ip1: the offending client address, set earlier in the script
       // escapeshellarg() keeps anything other than a plain address from being interpreted by the shell
       exec("sudo -u root -t pts/1 /sbin/iptables -A 1banned." . $mm . " -j DROP -s " . escapeshellarg($ipx));
   }
7. There are 12 banned tables in IPtables for port 80 traffic. One for every month. Every month a new table is populated with banned IP addresses. The current month (January) is named banned.01
8. I keep the contents (the banned IPs) for about a month, then flush the table (emptying it).
9. Data Centres are blocked permanently for all port 80 traffic. I allow known major crawlers.
That is the essence of my system. It's 5? years of refinements. It catches virtually all hackers after their first attempt. I tried filtering within IPtables but it's difficult to read and blocking is also difficult to read. My current system is readable, easily maintainable and flexible.
My system also creates an email ready for sending to the IP's abuse contact. Just have to copy and paste into a database's webform and press 'send'. Have just complained; it took 1 minute 18 seconds - from opening the warning email to pressing 'send' - to email a very comprehensive report.
---------------------------------------
Date & time           = Saturday, 25 January 2014 20:21:21 UTC (GMT +00:00)
Server name           = ddddddddd.com
Server IP             = 123.123.123.123
Submitted host name   = ddddddddd.com
Submitted page name   = /components/com_content/router.php
From web page         = (none)
Browser               = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Remote host           = 5.45.72.16
Remote address        = 5.45.72.16
Remote name           = 5.45.72.16
Location              = , Netherlands.
Remote port           = 56067
Remote protocol       = HTTP/1.0
IP2 host              = -
IP2 address           = -
Forwarded-for host    = -
Forwarded-for address = -
HTML status code      = 404
HTML method           = GET
---------------------------------------
It's a Data Centre so 5.45.72.0/22 is now blocked. Just want a quiet and enjoyable life :-)
Probably publish my set-up sometime this year.
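The error-page ban scheme described in steps 1 to 9 above, written out as one self-contained PHP script. This is an added example, not the poster's error.php (which was not published): the probe-path list, the allowed-method list, the sample requests and the function names are assumptions for illustration; the monthly chain name banned.MM is taken from step 7, and the script assumes sudoers lets the web server user run /sbin/iptables. The decision logic is kept in a pure function fed a copy of $_SERVER, so it can be run from the command line against constructed requests without touching a firewall; in the live handler the returned command would be passed to exec().

```php
<?php
// Added example, not the mailing-list poster's code. Names, patterns and
// sample data below are assumptions chosen to illustrate the scheme.

// Paths that only probing scripts ask for (constructed list, not the poster's).
// A 404 on any of these is treated as a scan.
const PROBE_PATTERNS = [
    '#^/phpmyadmin/#i',
    '#^/pma/#i',
    '#/wp-login\.php$#i',
    '#/xmlrpc\.php$#i',
    '#/components/com_content/router\.php$#i',
];

// Methods the site legitimately serves; anything else triggers a ban (step 5).
const ALLOWED_METHODS = ['GET', 'HEAD'];

// Decide whether a failed request should be banned. $server is a copy of
// $_SERVER and $get a copy of $_GET, so the function can be tested offline.
function classify_request(array $server, array $get): array
{
    $code   = (int)($get['code'] ?? 0);
    // Apache sets REDIRECT_REQUEST_METHOD on the internal redirect to the
    // ErrorDocument; it carries the method of the client's original request.
    $method = $server['REDIRECT_REQUEST_METHOD'] ?? $server['REQUEST_METHOD'] ?? '';
    $uri    = $server['REQUEST_URI'] ?? '(none)';
    $host   = $server['HTTP_HOST'] ?? '';
    $ip     = $server['REMOTE_ADDR'] ?? '';
    $reason = '';

    // Step 3: a path only scanners request (query string ignored).
    $path = explode('?', $uri, 2)[0];
    foreach (PROBE_PATTERNS as $re) {
        if (preg_match($re, $path)) {
            $reason = "probe path $path";
            break;
        }
    }
    // Step 4: Host header is a bare IP (optionally with port or [] brackets)
    // instead of one of the site's domain names.
    $bareHost = trim(preg_replace('/:\d+$/', '', $host), '[]');
    if ($reason === '' && filter_var($bareHost, FILTER_VALIDATE_IP) !== false) {
        $reason = "request addressed to IP $host, not a domain";
    }
    // Step 5: a method the site never serves.
    if ($reason === '' && !in_array($method, ALLOWED_METHODS, true)) {
        $reason = "method $method not allowed";
    }

    return ['ban' => $reason !== '', 'reason' => $reason, 'ip' => $ip,
            'code' => $code, 'method' => $method, 'uri' => $uri];
}

// Build the iptables command for this month's chain (step 6/7). The command
// is built from data the client influences, so the address is validated and
// passed through escapeshellarg(); raw concatenation would let a crafted
// address (e.g. one read from X-Forwarded-For) inject shell metacharacters.
function ban_command(string $ip, ?DateTimeInterface $now = null): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $mm = ($now ?? new DateTimeImmutable())->format('m');
    return 'sudo /sbin/iptables -A banned.' . $mm . ' -s ' . escapeshellarg($ip) . ' -j DROP';
}

// Constructed sample requests (not real log data), one per rule plus a benign 404.
$samples = [
    ['REQUEST_METHOD' => 'GET',     'REQUEST_URI' => '/components/com_content/router.php',
     'HTTP_HOST' => 'example.com', 'REMOTE_ADDR' => '192.0.2.10'],
    ['REQUEST_METHOD' => 'GET',     'REQUEST_URI' => '/index.html',
     'HTTP_HOST' => '203.0.113.5', 'REMOTE_ADDR' => '192.0.2.11'],
    ['REQUEST_METHOD' => 'CONNECT', 'REQUEST_URI' => 'example.org:443',
     'HTTP_HOST' => 'example.com', 'REMOTE_ADDR' => '192.0.2.12'],
    ['REQUEST_METHOD' => 'GET',     'REQUEST_URI' => '/no-such-page',
     'HTTP_HOST' => 'example.com', 'REMOTE_ADDR' => '192.0.2.13'],
];

if (PHP_SAPI === 'cli') {
    foreach ($samples as $s) {
        $r   = classify_request($s, ['code' => 404]);
        $cmd = $r['ban'] ? ban_command($r['ip'], new DateTimeImmutable('2014-01-25')) : '-';
        printf("%-8s %-40s ban=%-3s %s\n    %s\n",
               $r['method'], $r['uri'], $r['ban'] ? 'yes' : 'no', $r['reason'], $cmd);
        // Live handler would do: if ($r['ban']) exec(ban_command($r['ip']));
    }
}
```

Run it with `php error_check.php` (any file name); the first three samples produce a DROP rule for chain banned.01 and the plain 404 produces none. The two checks worth keeping whatever else is changed are FILTER_VALIDATE_IP before building the command and escapeshellarg() on the address: exec() hands the string to a shell, and the moment the address is taken from anything a client controls, such as a Forwarded-for header, an unescaped value becomes a command-injection path into a process that runs iptables as root.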